This Privacy Policy describes how ShawReply collects, uses, and protects your data. We are based in Toronto, Ontario, Canada.

1. What we collect

From you, the client

• Business information: business name, listing URLs, platform IDs, brand voice preferences, staff names, escalation contact.
• Payment information processed directly by Stripe. We never see or store full card numbers.
• Platform credentials (if you choose to connect a platform for automated posting): stored encrypted.

From third-party platforms

• Publicly posted review content for businesses you have connected.
• Star ratings, reviewer display names as shown on the platform, review text and titles, verified purchase badges, review creation dates, and review URLs.
• We do NOT collect email addresses, phone numbers, or other personal information about reviewers beyond what is publicly visible.

2. How we use it

• Service delivery: to generate responses to reviews on your behalf, post those responses where authorized, and provide analytics and digests.
• Service improvement: approved responses are used as few-shot examples in future prompts for the same client, scoped per-client.
• Billing: to charge subscription and cleanup fees via Stripe.
• Communication: to send operational emails, weekly digests, and product updates.

We do NOT sell your data, share it with advertisers, or use it to train general-purpose AI models.

3. Where your data lives

• Application database: Postgres, encrypted at rest, hosted on Railway.
• AI inference: Anthropic. Review content is sent to Anthropic at generation time. Anthropic does not retain or train on API input by default.
• Email delivery: Resend.
• Payments: Stripe.

4. Data retention

• Active clients: retained for as long as your account is active.
• After cancellation: retained for up to 90 days in case you return, then deleted.
• Audit logs: retained for 1 year, then purged.

5. Your rights

You may request access, correction, deletion, or export of your data at any time by emailing [email protected]. We respond within 30 days.

6. Security

• All data in transit encrypted via HTTPS / TLS 1.3.
• All data at rest in Postgres is encrypted.
• Platform credentials are encrypted at the application layer.
• Production access is limited to the founder and explicitly authorized operators.

7. Healthcare clients (HIPAA note)

For healthcare clients, ShawReply does NOT reference specific medical information in generated responses. ShawReply is not a Business Associate under HIPAA and does not sign BAAs at this time. Clients handling Protected Health Information must ensure reviews connected to us do not contain PHI.

8. International transfers

If you are located outside Canada, your data may be transferred to and processed in Canada, the United States, or the European Union, depending on sub-processor region.

9. Contact

Questions, data requests, or concerns: [email protected]